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DETAILED ACTION 

1. Claims 1 - 21 have been presented for examination. Presently, pending claims 
are 1 -21, 

Response to Arguments 

1 . Applicant's arguments with respect to the subject matter of the instant claims 
have been fully considered but are not persuasive. 

2. As per claim 1 , 8 and 15, Applicant first asserts: "Drake's storing events in a 
database table is not the same as grouping event attributes into an event set (Remarks: 
Page 9, 1®^ Para)". Examiner respectfully disagrees with the following rationale: 

• Drake teaches (a) the event detection system features by collecting statistic 
data based on category, user and platform in order to analyze statistical data and detect 
intrusion events (Drake: Column 15 Line 60-63); (b) dynamically increasing (i.e. 
aggregating) the number and type of events added to the database during a suspected 
intrusion attempts (Drake: Column 7 Line 49 - 52). Therefore, Examiner notes Drake 
does teach: "grouping event attributes into an event set" and as such Applicant's 
arguments are respectfully traversed. 

3. Applicant first asserts: Drake does not teach: "an event set includes a source 
attribute, a target attribute and an event category attribute (Remarks: Page 9, 2"^ Para). 
Examiner respectfully disagrees with the following rationale: 
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• Drake teaches (a) collecting statistic data based on the following key 
parameters: event category, user, platform and interval (Drake: Column 15 Line 65 - 
67); (b) in one embodiment, as taught by Drake, the event category can be 
"authentication failures" (Drake: Column 14 Line 18-21), which also appears on the 
instant application (SPEC: Page 12 Line 22-23) : where the source attribute is 
considered as a specific user entity and the target attribute is considered as a specific 
platform - the target / platform attribute, in this case, is merely interpreted as an entity 
that detects / recovers the fault in an event detection system (Drake: Column 19 Line 2 
- 4 & Line 16 - 18). Therefore, Examiner notes Drake does teach: "an event set 
includes a source attribute, a target attribute and an event category attribute" 

• Applicant's arguments fail to comply with 37 CFR 1.111(b) because they 
amount to a general allegation that the claims define a patentable invention without 
specifically pointing out how the language of the claims is patentably distinguished over 
the prior art and as such Applicant's arguments are respectfully traversed.' 

4. Applicant asserts: Drake does not teach: "calculating severity levels for the 
groups, wherein a severity level for a group is a function of a number of events 
comprising the group and values of common elements in the group (Remarks: Page 9, 
3''^ Para). Examiner respectfully disagrees with the following rationale: 

• Drake teaches calculating severity levels for the groups, wherein a severity 
level for a group is a function of a number of events comprising the group and values of 
common elements in the group (Drake: Column 12 Line 29 - 30, Column 16 Line 15 - 

1 8, Column 1 1 Line 38 - 50, Column 1 6 Line 1 5 - 1 8 and Column 1 4 Line 18-21: with 
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respect to "authentication failure"). On this regard, Applicant further argues that Drake 
merely discloses the use of assigning a security level to a record and is not to a group 
of events as recited in the claim (Remarks: Page 10, 2"^ Para). Examiner respectfully 
disagrees because a group of events are formed and established as "authentication 
failures", for example, as set forth in the discussion above and the severity level for this 
group is indeed a function of a number of events comprising the group and values of 
common elements such as common user entity (source) and platform entity (target) and 
the mathematical function of a number of events are compared against predetermined 
thresholds in order to assign a severity level to that event group (Drake: Column 12 Line 
29 - 30, Column 1 6 Line 15-18, Column 1 1 Line 38 - 50, Column 1 6 Line 1 5 - 1 8 and 
Column 14 Line 18-21) and as such Applicant's arguments are respectfully traversed. 



Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraph of 35 U.S.C. 102 that 
forms the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defmed in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 2 1 (2) of such treaty in the English language. 



2. Claims 1 - 4, 8 - 1 1 and 15 - 18 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Drake et al. (US Patent 6,347,374). 
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As per claim 1 , 8 and 15, Drake teaches a method in a data processing system 
for reporting security situations, comprising the steps of: 

logging events by storing event attributes as an event set, wherein each event 
set includes a source attribute, a target attribute and an event category attribute (Drake: 
Column 1 2 Line 43 - 45, Column 1 5 Line 60 - 67 and Column 1 9 Line 2 - 4 & Line 1 6 - 
18: (a) collecting statistic data based on the following key parameters: event category, 
user, platform and interval (Drake: Column 15 Line 65-67); (b) in one embodiment, as 
taught by Drake, the event category can be "authentication failures" (Drake: Column 14 
Line 18-21), which also appears on the instant application (SPEC: Page 12 Line 22 - 
23); where the source attribute is considered as a specific user entity and the target 
attribute is considered as a specific platform - the target / platform attribute, in this case, 
is merely interpreted as an entity that detects / recovers the fault in an event detection 
system (Drake: Column 1 9 Line 2 - 4 & Line 16-1 8)); 

classifying events as groups by aggregating events with at least one attribute 
within the event set as an identical value (Drake: Column 7 Line 49 - 52, Column 12 
Line 2-4, Column 12 Line 38 - 41 and Column 16 Line 1 - 8, Column 1 1 Line 38 - 50, 
Column 1 4 Line 18-21, Column 1 5 Line 60 - 63: (a) Drake teaches aggregating the 
correlated raw events into event groups with at least one attribute within the event set 
as an identical value such as same user ID, or same group type as "authentication 
failure" to generate an alert of severity situations, (b) the event detection system 
features by collecting statistic data based on category, user and platform in order to 
analyze statistical data and detect intrusion events (Drake: Column 15 Line 60 - 63), (c) 
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dynamically increasing (i.e. aggregating) the number and type of events added to the 
database during a suspected intrusion attempts (Drake: Column 7 Line 49 - 52)). 

calculating severity levels for the groups, wherein a severity level for a group is a 
function of a number of events comprising the group and values of common elements in 
the group (Drake: Column 1 2 Line 29 - 30, Column 1 6 Line 15-18, Column 1 1 Line 38 
- 50, Column 1 6 Line 15-18 and Column 1 4 Line 1 8 - 21 : the "authentication failure" 
is qualified to meet the severity level as an event caused by the failures of a user login - 
i.e. a group of events are formed and established as "authentication failures", for 
example, as set forth in the discussion above and the severity level for this group is 
indeed a function of a number of events comprising the group and values of common 
elements such as common user entity (source) and platform entity (target) and the 
mathematical function of a number of events are compared against predetermined 
thresholds in order to assign a severity level to that event group). 

reporting a group from the groups to a user as a situation, if a severity level of the 
group exceeds a threshold value (Drake: Column 1 1 Line 38 - 50 and Column 14 Line 
18 - 21 : the "authentication failure" is qualified to meet the severity level as an event 
caused by the failures of a user login when the aggregating events exceed the 
predetermined number (i.e., threshold = 3) as taught by Drake). 
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As per claim 2, 9 and 16, Drake teaches the severity levels are calculated based 
on at least one of the number of event sets within each of the groups, the source 
attribute of the event sets within each of the groups, the target attribute of the event sets 
within each of the groups, and the event category attribute of the event sets within each 
of the groups (Drake: Column 1 1 Line 38 - 50 and Column 1 4 Line 18-21: Drake 
teaches aggregating the correlated raw events into event groups with at least one 
attribute within the event set as an identical value such as (a) same user ID, or (b) same 
group type as "authentication failure" to generate an alert of severity situations). 

As per claim 3, 1 0 and 17, Drake teaches the events include at least one of a 
web server event, an electronic mail event, a Trojan horse, denial of service, a virus, a 
network event, an authentication failure, and an access violation (Drake: Column 14 
Line 18 - 21 : authentication failures). 

As per claim 4, 1 1 and 18, Drake teaches calculating the threshold value based 
on at least one of the source attribute of the event sets within the group, the target 
attribute of the event sets within the group, the event category attribute in each event 
set of the group, and the number of attributes in each event set of the group that are 
held constant across all of the event sets in the group (Drake: Column 16 Line 13-18 
and Column 14 Line 18-21). 
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Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

A person shall be entitled to a patent unless - 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made, 

3. Claims 5 -7, 12 - 14 and 19 - 21 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over in view of Drake et al. (US Patent 6,347,374), in view of Burrows et 
al. (US Patent 2002/0073338). 

As per claim 7, 14 and 21 , Drake does not disclose expressly aggregating a 
subset of the groups into a combined group. 

Burrows teaches aggregating a subset of the groups into a combined group 
(Burrows: Para [0050] and Para [0046] Line 10-11: similar to the Figure 8 / Element 
804/806/802 of the instant application, the single source computer that causes 
broadcast storms to any of the unspecified destination computers, as taught by 
Burrows, does indeed generate a combined group of events. Likewise, it applies to the 
similar situation of denial-of-service attacks). 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to combine the teaching of Burrows within the system of Drake 
because (a) Drake teaches improving network security by providing an effective event 
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detecting systems (Drake, see example. Column 2 Line 4-8 and Column 3 Line 34 - 
35]) and (b) Burrows teaches managing and tracking computer security incidents that 
may occur in a network computer system by effectively detecting any types of behavior 
and undesirable patterns of packet traffic (Burrows: Para [0019]). 

As per claim 5, 12 and 19, Drake does not disclose expressly the target attribute 
represents one of a computer and a collection of computers. 

Burrows teaches the target attribute represents one of a computer and a 
collection of computers (Burrows: Para [0050] and Para [0046] Line 10 - 1 1: the target 
attribute could be the single server computer that causes denial-of-service or a 
collection of computers such as broadcast storms). 

Same rationale of combination applies herein as above in rejecting the claim 7. 

As per claim 6, 13 and 20, Drake does not disclose expressly the source attribute 
represents one of a computer and a collection of computers. 

Burrows teaches the source attribute represents one of a computer and a 
collection of computers (Burrows: Para [0050] and Para [0046] Line 10 - 1 1: the source 
attribute could be the single source computer that causes broadcast storms to any of 
the unspecified destination computers or as a collection of computers such as denial-of- 
service attacks). 

Same rationale of combination applies herein as above in rejecting the claim 7. 
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Conclusion 

THIS ACTION IS MADE FINAL, Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1 .1 36(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Longbit Chai whose telephone number is 571-272-3788. 
The examiner can normally be reached on Monday-Friday 8:00am-4:00pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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Examiner 
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